Maritime Blog

Cyber Incident Response in the Maritime Environment (Part 3)

Gnostech continues with its maritime cyber incident response blog series. This month, we will focus on detection and analysis. This phase of the cybersecurity incident response lifecycle is one that cannot be overlooked. Early detection of a cyberattack and/or breach allows ports and other maritime organizations to swiftly contain an incident before it escalates any further.

Organizations must be prepared to detect a variety of cyber incidents and understand that response must be tailored for the various types of attacks and threat vectors that exist. An attack vector is path or means by which a threat actor can gain access to a computer or network server to deliver a payload or malicious outcome. Again, different types of incidents merit different response strategies. According to the National Institute of Standards and Technology (NIST), common attack vectors include external/removable media, attrition, web, email, impersonation, improper usage, and loss or theft of equipment.

For many organizations, it is often challenging to accurately detect and assess possible incidents. Why is this the case? First, systems must be capable of detecting incidents using different automated and manual means, with varying levels of detail and fidelity. Second, the high-volume pre-attack and attack activity are typically very high requiring automated cybersecurity tools that can quickly record, process, and display in human-readable format. Third, technical knowledge and experience are usually necessary for proper and efficient analysis of incident-related data. Although seemingly daunting, having tools, procedures, and personnel in place provide a risk-based methodology to carefully detect, analyze, and prioritize cyber incidents when they occur.

In order to detect the many methods of attack vectors, your organization must be aware of the signs prior to an attack. Signs of attack include precursors, a sign of an incident in the near future, or indicators, a sign that tells you that an incident has occurred. It is extremely rare to have a precursor prior to an attack. If detected, a precursor can prevent the incident from ever occurring, while indicators are more common and take different forms. Both precursors and indicators can be identified through computer security software alerts, logs, publicly available information, and people. Furthermore, tools are an essential component in detecting signs of an attack. Audit reduction tools, system monitoring tools, and patch management tools can par and compile large quantities of data in a readable report to help your organization identify these signs. Having the right system guards in place, and at the right locations, are necessary to detect cyber threats. Firewalls, Routers, Intrusion Protection Systems and Intrusion Detection Systems provide that “onion” layer of protection, but they must be set up and locked down properly. Astonishingly, many incidents go undetected because of misconfigured or improperly installed equipment. System guards must be validated on a regular basis.

As we already mentioned, the volume of potential signs of incidents is typically high for any organization. But, they are not all accurate. That is why you must know your systems’ “normal” by establishing operational baselines for your systems. Recognizing a slight change in audits or activities could be your single clue that someone has maliciously accessed your system. As a general practice, most cybersecurity certifications recommend job rotation and mandatory vacations to protect against a rogue administrator or information system security officer (ISSO). Moreover, the most neglected and most effective detection device is typically the normal user. They are the ones using these systems daily and would be the first to notice an irregular occurrence. Ensure your organization implements regular cyber awareness training keeps employees actively involved in early incident detection.

Once an incident is identified, it must be analyzed. Your incident response team, either internal or externally identified, should determine the incident’s scope, where it originated, and how it occurred. Documentation is also important. The incident response team should document all steps taken from the incident’s detection to the final resolution. Your organization should consider how you will prioritize incidents in the event of simultaneous occurrences. The prioritization of incidents should be based on their functional impact, information impact, and the ability to recover from the incident. Ultimately, detecting and analyzing a cyber incident are key to quick eradication and allow port and maritime organizations to return to normal operations with minimal disruption.

About Gnostech Inc.:Gnostech Inc. is an applied engineering and consulting company with expertise in information assurance and cybersecurity engineering, and major combat and space systems development and integration. For more information, visit www.gnostech.com or stay connected by following us on LinkedIn or @GnostechInc in Twitter.